4
votes

I have two internet-facing sites programmed in ASP.NET: example.com and site1.example.com

Each one is deployed on its own server in a different geographical location.

site1.example.com

  • Hosts a third party application
  • Uses forms for windows authentication (of local windows users)
  • I have full server access.
  • I can only modify config/view code (I can't modify binaries)

example.com

  • All custom code that I can change
  • Forms authentication against database

What needs to happen is

  1. User logs into example.com
  2. Windows credentials are retrieved from database (based on the current user logged in)
  3. User gets authenticated with site1.example.com in the background
  4. example.com links to resource on site1.example.com
  5. User is now able to access resources on site1.example.com

I have created this hack to make it work:

  1. Append encrypted credentials to site1.example.com login url
  2. Create hidden iFrame on example.com that points to special login url.
  3. Modify site1.example.com login page to
    • decrypt login credentials
    • type them into username/password box and click submit via JavaScript

What ends up happening is site1.example.com has to load twice before its resources can become available (once to show the login page and once after the page is submitted), which can take some time.

Is there a way to have example.com authenticate with site1.example.com in the background in a single request (as opposed to the two requests I am doing now)?

Impersonate Identity seems promising on the site1.example.com side but will the code implementation of it work if I run it from a view?

Federated Identity seems like the key here but it is quite overwhelming. Can I implement it without modifying binaries on one end (examples)? Does it work with a mix of forms and windows authentication or does it just allow windows users to link up across different windows domains.

1
Are you authenticating against AD (Active Directory)? Or FormsAuthentication against a database of hashed user credentials that is synced between the two different locations (so we ignore your "of local Windows users")? Or? – Ted

@Ted example.com: FormsAuthentication with hashed credentials. site1.example.com: Has different users than example.com. Uses Forms for Windows Authentication. I assume it's AD – user1886419

Maybe Forms Authentication Across Applications could work, but only if a Web farm can have two different servers by different providers. More info: msdn.microsoft.com/en-us/library/eb0zx8fc%28v=vs.100%29.aspx So I am not sure how a Web farm can be interpreted. – jyrkim

1 Answer

1
vote

You can create a Forms Authentication ticket (in a cookie) in example.com that will be valid in site1.example.com. If the cookie is created for the root domain, every subdomain can read it.

The cookie must be set on the root domain, and both applications must share the cookie name, cookie path and encryption keys.

In example.com when user is authenticated:

web.config:

 <!-- key used to encrypt and sign the auth ticket; the same keys go in site1.example.com -->
 <machineKey validation="AES" validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryption="AES" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"/>

In codebehind:

Imports System.Web
Imports System.Web.Security

' userName and timeOut (in minutes) come from your own login logic
Dim encryptedTicket As String
Dim authTicket As New FormsAuthenticationTicket(1, userName, Date.Now, Date.Now.AddMinutes(timeOut), True, "")
encryptedTicket = FormsAuthentication.Encrypt(authTicket) ' encrypted and signed with the machineKey above
Dim authcookie As New HttpCookie("authCookieForSite1", encryptedTicket)
authcookie.HttpOnly = True
authcookie.Domain = "example.com" ' root domain, every subdomain can read this cookie
authcookie.Path = "/"
Response.Cookies.Add(authcookie)

In site1.example.com just forms config to read the auth cookie:

<!-- key to decrypt the auth ticket. Same machine keys as in example.com -->
<machineKey validation="AES" validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryption="AES" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"/>

<!-- no local login url: go to example.com if no cookie is present -->
<authentication mode="Forms">
  <forms protection="All" path="/" domain="example.com" timeout="1439" enableCrossAppRedirects="true" cookieless="UseCookies" slidingExpiration="true" loginUrl="example.com" name="authCookieForSite1" defaultUrl="site1.example.com/default.aspx"/>
</authentication>

I'm doing this by heart. Sorry if you encounter mistakes but I'm sure you'll get the idea.
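The trust decision the answer relies on, modelled in Python as an added example (this is neither the asker's nor the answerer's code, and it is not ASP.NET's FormsAuthentication wire format): example.com issues a short-lived ticket signed with a key both sites share, places it in a cookie scoped to the parent domain, and site1.example.com accepts a request only when the signature verifies under its own copy of the key and the ticket has not expired. The cookie name `authCookieForSite1` and domain `example.com` are the answer's; the keys, user name and the `issue_ticket`/`verify_ticket` functions are constructed for the example. Note what the ticket does not contain: the Windows password, which the iframe hack in the question had to ship in the URL.

```python
"""Model of the cross-subdomain ticket flow from the answer above.

Constructed example: example.com issues a signed, expiring ticket in a cookie
scoped to the parent domain, and site1.example.com accepts the request only
if the ticket verifies under the same shared key.  This is NOT ASP.NET's
FormsAuthentication wire format; it models the trust decision, not the bytes.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

COOKIE_NAME = "authCookieForSite1"  # must equal <forms name="..."> on site1
COOKIE_DOMAIN = "example.com"       # parent domain, readable by site1.example.com

# Constructed stand-ins for the validationKey that both web.config files share.
SHARED_KEY = bytes.fromhex("0f" * 32)
DRIFTED_KEY = bytes.fromhex("1e" * 32)  # what site1 would hold if its config differed


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, key: bytes, ttl_seconds: int,
                 now: Optional[float] = None) -> str:
    """example.com side: ticket = base64(claims) '.' base64(HMAC-SHA256(claims)).

    The ticket carries only the user name and a validity window, never the
    Windows password, so nothing reusable leaks if it is logged or replayed late.
    """
    issued = int(time.time() if now is None else now)
    claims = {"v": 1, "user": user, "iat": issued, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def set_cookie_header(ticket: str) -> str:
    """The Set-Cookie line example.com emits: Domain=parent so the subdomain
    receives it, Path=/ and HttpOnly as in the answer, plus Secure because the
    ticket is a bearer credential."""
    return (f"Set-Cookie: {COOKIE_NAME}={ticket}; Domain={COOKIE_DOMAIN}; "
            "Path=/; HttpOnly; Secure")


def parse_cookie_header(cookie_header: str) -> dict:
    """Split a request 'Cookie:' value into {name: value}."""
    jar = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def verify_ticket(ticket: str, key: bytes,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """site1.example.com side. Returns (True, user) or (False, reason)."""
    try:
        payload_b64, mac_b64 = ticket.split(".", 1)
        payload = _unb64(payload_b64)
        presented_mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected_mac = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare; a mismatch means tampering or a machineKey mismatch.
    if not hmac.compare_digest(presented_mac, expected_mac):
        return False, "bad signature"
    claims = json.loads(payload)
    if claims.get("v") != 1:
        return False, "unsupported version"
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return False, "expired"
    return True, claims["user"]


def authenticate_request(cookie_header: str, key: bytes,
                         now: Optional[float] = None) -> Tuple[bool, str]:
    """What site1's forms module does per request: no cookie -> send the user
    to loginUrl (example.com); cookie present -> trust it only if it verifies."""
    jar = parse_cookie_header(cookie_header)
    if COOKIE_NAME not in jar:
        return False, "no cookie; redirect to loginUrl"
    return verify_ticket(jar[COOKIE_NAME], key, now)


if __name__ == "__main__":
    ticket = issue_ticket("alice", SHARED_KEY, ttl_seconds=600)
    print(set_cookie_header(ticket))
    cookie_line = f"{COOKIE_NAME}={ticket}"
    print(authenticate_request(cookie_line, SHARED_KEY))   # (True, 'alice')
    print(authenticate_request(cookie_line, DRIFTED_KEY))  # (False, 'bad signature')
```

The two failure paths worth watching in production are the ones the model makes explicit: a `bad signature` result on site1 almost always means the two `machineKey` elements have drifted apart, and an `expired` result means the `timeout` on the issuing side and the ticket's expiry no longer agree. In ASP.NET `protection="All"` also encrypts the ticket with the `decryptionKey`; the model signs only, because signing is the part that decides whether site1 trusts the cookie.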